DETAILED ACTION 

1 . This is in response to the communications filed on 29 March 2007. 

2. Claims 1-7, 9 and 10 are pending in the application. 

3. Claims 1-7, 9 and 10 have been rejected. 

4. Claim 8 has been cancelled in a preliminary amendment. 

Information Disclosure Statement 

5. The examiner has considered the information disclosure statement (IDS) filed on 23 
December 2004. 

Claim Objections 

6. Claims 1, 6 and 7 are objected to because of the following informalities: misspelling. The 
word "unauthorized" has been misspelled as "unauthorised". Appropriate correction is required. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

7. Claims 1, 2 and 6 are rejected under 35 U.S.C. 102(e) as being anticipated by Vaidya U.S. 
Patent No. 6,279,113 B1. 

As to claim 1, Vaidya discloses an intrusion detection system for detection of intrusion or 
attempted intrusion by an unauthorized party or entity to a computer system or network (Vaidya 
discloses a dynamic network-based signature inspection network Intrusion Detection System 
(IDS) includes a central data repository 12 and multiple data collectors 10 located on a network 
such as a Local Area Network 11 (LAN). Although the data collectors 10 are illustrated as 
stand-alone devices, the function of a data collector can be included on other devices in the 
network, such as a server or a router/firewall/switch 20. Multiple data collectors 10 are 
preferred when the LAN 11 includes multiple network objects which the IDS must monitor for 
network intrusions [column 5, lines 5-26]). Vaidya discloses the intrusion detection system 
comprising means for monitoring activity relative to the computer system or network (Vaidya 
discloses that multiple data collectors 10 are preferred when the LAN 11 includes multiple 
network objects which the IDS must monitor for network intrusions [column 5, line 26]). 
Vaidya discloses means for receiving and storing one or more general rules. Vaidya discloses 
that each of the general rules is representative of characteristics associated with a plurality of 
specific instances of intrusion or attempted intrusion (Vaidya discloses that in step 56 the 
communication module 30 of the data repository 12 distributes the signature profiles to the 
various data collectors 10 throughout the network. Upon receiving a set or sets of attack 
signature profiles, each data collector 10 stores the set or sets of profiles it receives from the 
data repository 12 in its signature profile memory 39 [column 6, lines 50-56]. Vaidya discloses a 
method for the operation of the dynamic signature inspection network IDS includes the step 50 
of generating attack signature profiles. The attack signature profiles can be generic in that they 
describe generic network intrusion attempts which are common to most networks [column 6, 
lines 27-35]). Vaidya discloses matching means for receiving data relating to activity relative to 
the computer system or network from the monitoring means and for comparing, in a semantic 
manner, sets of actions forming the activity against the one or more general rules to identify an 
intrusion or attempted intrusion (Vaidya discloses the attack signature profile is reduced to an 
expression in step 166 [column 12, lines 1-5]. Vaidya discloses that in step 180 the expression 
is evaluated to determine in step 182 if the expression matches the packet currently being 
analyzed. If the expression does not match, the virtual processor 36 returns a value of false in 
step 184. If the expression matches the packet, the virtual processor returns a value of true and 
adds the current time stamp to the application session entry in the state cache 44 in step 186 
[column 12, lines 23-29]). 

As to claim 2, Vaidya discloses that the one or more general rules form a knowledge 
base of the system (Vaidya discloses that in step 52 sets of attack signature profiles are organized 
according to security requirements of each network object. In step 54, corresponding data that 
are indicative of which objects corresponds to which sets of attack signature profiles are stored in 
memory of the data repository 12 [column 6, lines 35-40]). Vaidya discloses that the system 
comprises means for automatically generating and storing in the knowledge base a new general 
rule representative of characteristics associated with specific instances of intrusion or attempted 
intrusion not previously taken into account (Vaidya discloses if no session entry is found in step 
102, a new session entry is created in the session cache 44 in step 106. Session data, which 
includes any matches identified by executing attack signature profile instructions on a data 
packet, are entered into the new session entry in step 108 and the session entry is entered into the 
state cache 44 in step 110 [column 9, lines 21-27]). 

As to claim 6, Vaidya discloses an intrusion detection system for detection of intrusion or 
attempted intrusion by an unauthorized party or entity to a computer system or network (Vaidya 
discloses a dynamic network-based signature inspection network Intrusion Detection System 
(IDS) includes a central data repository 12 and multiple data collectors 10 located on a network 
such as a Local Area Network 11 (LAN). Although the data collectors 10 are illustrated as 
stand-alone devices, the function of a data collector can be included on other devices in the network, 
such as a server or a router/firewall/switch 20. Multiple data collectors 10 are preferred when the 
LAN 11 includes multiple network objects which the IDS must monitor for network intrusions 
[column 5, lines 5-26]). Vaidya discloses the intrusion detection system comprising means for 
monitoring activity relative to the computer system or network (Vaidya discloses that multiple 
data collectors 10 are preferred when the LAN 11 includes multiple network objects which the 
IDS must monitor for network intrusions [column 5, line 26]). Vaidya discloses means for 
initially receiving and storing a knowledge base comprising one or more general rules. Vaidya 
discloses that each of the general rules being representative of characteristics associated with a 
plurality of specific instances of intrusion or attempted intrusion (Vaidya discloses that in step 56 
the communication module 30 of the data repository 12 distributes the signature profiles to the 
various data collectors 10 throughout the network. Upon receiving a set or sets of attack 
signature profiles, each data collector 10 stores the set or sets of profiles it receives from the data 
repository 12 in its signature profile memory 39 [column 6, lines 50-56]. Vaidya discloses a 
method for the operation of the dynamic signature inspection network IDS includes the step 50 
of generating attack signature profiles. The attack signature profiles can be generic in that they 
describe generic network intrusion attempts which are common to most networks [column 6, 
lines 27-35]). Vaidya discloses means for automatically generating and storing in the knowledge 
base (after the knowledge base has been initially stored) new general rules representative of 
characteristics associated with specific instances of intrusion or attempted intrusion not 
previously taken into account (Vaidya discloses if no session entry is found in step 102, a new 
session entry is created in the session cache 44 in step 106. Session data, which includes any 
matches identified by executing attack signature profile instructions on a data packet, are entered 
into the new session entry in step 108 and the session entry is entered into the state cache 44 in 
step 110 [column 9, lines 21-27]). 
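The mechanism the examiner relies on for claims 1, 2 and 6 (profile sets organized per network object in a repository, distributed to collectors, each profile reduced to an expression that is evaluated per packet, matches time-stamped into a session entry in a state cache, with a new entry created when none is found) can be made concrete in code. The following is an added illustration written for this page; it is not code from the Vaidya patent or from the application under examination. The packet fields, the representation of a profile as a Python predicate, the session key (source, destination, destination port) and the sample traffic are assumptions made for the example.

```python
"""Signature-inspection IDS with a per-session state cache (added illustration).

Not code from the Vaidya patent or the application; packet fields, profile
representation, session key and the traffic below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time stamp
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class SignatureProfile:
    """An attack signature profile already reduced to an expression over a packet."""
    name: str
    expression: Callable[[Packet], bool]


SessionKey = Tuple[str, str, int]   # (src, dst, dport): assumed session identity


@dataclass
class SessionEntry:
    matches: List[Tuple[str, float]] = field(default_factory=list)  # (profile, time stamp)
    last_seen: float = 0.0


class DataRepository:
    """Central repository: profile sets organized per monitored network object."""
    def __init__(self) -> None:
        self.profile_sets: Dict[str, List[SignatureProfile]] = {}

    def assign(self, network_object: str, profiles: List[SignatureProfile]) -> None:
        self.profile_sets.setdefault(network_object, []).extend(profiles)

    def distribute(self, collectors: Dict[str, "DataCollector"]) -> None:
        # Each collector receives the set(s) for the object it monitors.
        for obj, collector in collectors.items():
            collector.receive_profiles(self.profile_sets.get(obj, []))


class DataCollector:
    """Collector: signature profile memory plus a state cache of session entries."""
    def __init__(self) -> None:
        self.signature_memory: List[SignatureProfile] = []
        self.state_cache: Dict[SessionKey, SessionEntry] = {}

    def receive_profiles(self, profiles: List[SignatureProfile]) -> None:
        self.signature_memory.extend(profiles)

    def inspect(self, pkt: Packet) -> List[str]:
        """Evaluate every stored expression against one packet; record hits in its session."""
        key: SessionKey = (pkt.src, pkt.dst, pkt.dport)
        entry = self.state_cache.get(key)
        if entry is None:                   # no session entry found: create one
            entry = SessionEntry()
            self.state_cache[key] = entry
        hits: List[str] = []
        for profile in self.signature_memory:
            if profile.expression(pkt):     # expression evaluates true for this packet
                hits.append(profile.name)
                entry.matches.append((profile.name, pkt.ts))
                entry.last_seen = pkt.ts    # time stamp added to the session entry
        return hits


def generic_profiles() -> List[SignatureProfile]:
    """Generic profiles of the 'common to most networks' kind; patterns are illustrative."""
    return [
        SignatureProfile("http-path-traversal",
                         lambda p: p.dport == 80 and b"../" in p.payload),
        SignatureProfile("smtp-vrfy-probe",
                         lambda p: p.dport == 25 and p.payload.upper().startswith(b"VRFY ")),
    ]


# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC = [
    Packet(1.0, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(2.0, "10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet(3.0, "10.0.0.7", "10.0.0.25", 25, b"VRFY root\r\n"),
    Packet(4.0, "10.0.0.5", "10.0.0.80", 80, b"GET /cgi-bin/../../../bin/sh HTTP/1.0\r\n"),
]


def run_collector(packets: List[Packet] = SAMPLE_TRAFFIC) -> DataCollector:
    """Distribute the generic set to one collector for 'lan-segment-a' and inspect the traffic."""
    repo = DataRepository()
    repo.assign("lan-segment-a", generic_profiles())
    collector = DataCollector()
    repo.distribute({"lan-segment-a": collector})
    for pkt in packets:
        collector.inspect(pkt)
    return collector


if __name__ == "__main__":
    for key, entry in run_collector().state_cache.items():
        print(key, entry.matches, entry.last_seen)
```

Running the block builds two session entries: the web session accumulates two time-stamped traversal matches and the SMTP session one VRFY match. The benign first packet creates its session entry without a match, which is the point of keeping state per session rather than per packet: later rules can reason over the sequence of matches in an entry, not only over the packet in hand.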

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

8. Claims 3-5, 7, 9 and 10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vaidya U.S. Patent No. 6,279,113 B1 in view of "Applications of Inductive Logic 
Programming" (hereinafter Bratko). 

As to claim 3, Vaidya discloses if no session entry is found in step 102, a new session 
entry is created in the session cache 44 in step 106. Session data, which includes any matches 
identified by executing attack signature profile instructions on a data packet, are entered into the 
new session entry in step 108 and the session entry is entered into the state cache 44 in step 110 
[column 9, lines 21-27]. 

Vaidya does not teach that the means for automatically generating and storing a new 
general rule (i.e. new session entry) comprises inductive logic programming means. 

Bratko teaches inductive logic programming (ILP). Bratko teaches given background 
knowledge, expressed as a set of predicate definitions, positive examples and negative examples. 
Bratko teaches that an ILP system will construct a predicate logic formula such that all the 
positive examples can be logically derived. Bratko teaches that no negative example can be 
logically derived [see pages 65-66]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Vaidya so that the means for generating and 
storing a new rule (i.e. updated rules) would have been done by using inductive logic 
programming. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Vaidya by the teaching of Bratko because one of the main 
advantages of ILP is ILP's generality of representation for background knowledge. This enables 
a user to provide, in a more natural way, domain-specific background knowledge to be used in 
learning. The use of background knowledge enables the user both to develop a suitable problem 
representation and to introduce problem-specific constraints into the learning process [see page 
66]. 

As to claims 4, 9 and 10, Vaidya discloses that in step 56 the communication module 30 
of the data repository 12 distributes the signature profiles to the various data collectors 10 
throughout the network. Upon receiving a set or sets of attack signature profiles, each data 
collector 10 stores the set or sets of profiles it receives from the data repository 12 in its signature 
profile memory 39 [column 6, lines 50-56]. 

Vaidya does not teach that the one or more general rules is or are represented in a logic 
programming language. 
Bratko teaches inductive logic programming (ILP). Bratko teaches given background 
knowledge, expressed as a set of predicate definitions, positive examples and negative examples. 
Bratko teaches that an ILP system will construct a predicate logic formula such that all the 
positive examples can be logically derived. Bratko teaches that no negative example can be 
logically derived [see pages 65-66]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Vaidya so that the rules as taught would have 
been represented by inductive logic programming. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Vaidya by the teaching of Bratko because one of the main 
advantages of ILP is ILP's generality of representation for background knowledge. This enables 
a user to provide, in a more natural way, domain-specific background knowledge to be used in 
learning. The use of background knowledge enables the user both to develop a suitable problem 
representation and to introduce problem-specific constraints into the learning process [see page 
66]. 

As to claim 5, Vaidya discloses that multiple data collectors 10 are preferred when the 
LAN 11 includes multiple network objects which the IDS must monitor for network intrusions 
[column 5, line 26]. 

Vaidya does not teach that inductive logic programming techniques are applied by the 
system to an attack, intrusion or attempted intrusion. 

Application/Control Number: 10/511,775 Page 9 
Art Unit: 2131 

Bratko teaches inductive logic programming (ILP). Bratko teaches given background 
knowledge, expressed as a set of predicate definitions, positive examples and negative examples. 
Bratko teaches that an ILP system will construct a predicate logic formula such that all the 
positive examples can be logically derived. Bratko teaches that no negative example can be 
logically derived [see pages 65-66]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Vaidya so that the rules of an attack would have 
been applied by inductive logic programming to derive positive examples. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Vaidya by the teaching of Bratko because one of the main 
advantages of ILP is ILP's generality of representation for background knowledge. This enables 
a user to provide, in a more natural way, domain-specific background knowledge to be used in 
learning. The use of background knowledge enables the user both to develop a suitable problem 
representation and to introduce problem-specific constraints into the learning process [see page 
66]. 

As to claim 7, Vaidya discloses an intrusion detection system for detection of intrusion or 
attempted intrusion by an unauthorized party or entity to a computer system or network (Vaidya 
discloses a dynamic network-based signature inspection network Intrusion Detection System 
(IDS) includes a central data repository 12 and multiple data collectors 10 located on a network 
such as a Local Area Network 11 (LAN). Although the data collectors 10 are illustrated as 
stand-alone devices, the function of a data collector can be included on other devices in the network, 
such as a server or a router/firewall/switch 20. Multiple data collectors 10 are preferred when the 
LAN 11 includes multiple network objects which the IDS must monitor for network intrusions 
[column 5, lines 5-26]). Vaidya discloses the intrusion detection system comprising means for 
monitoring activity relative to the computer system or network (Vaidya discloses that multiple 
data collectors 10 are preferred when the LAN 11 includes multiple network objects which the 
IDS must monitor for network intrusions [column 5, line 26]). Vaidya discloses means for 
initially receiving and storing in a knowledge base data representative of characteristics 
associated with one or more specific instances or classes of intrusion or attempted intrusion. 
(Vaidya discloses that in step 56 the communication module 30 of the data repository 12 
distributes the signature profiles to the various data collectors 10 throughout the network. Upon 
receiving a set or sets of attack signature profiles, each data collector 10 stores the set or sets of 
profiles it receives from the data repository 12 in its signature profile memory 39 [column 6, 
lines 50-56]. Vaidya discloses a method for the operation of the dynamic signature inspection 
network IDS includes the step 50 of generating attack signature profiles. The attack signature 
profiles can be generic in that they describe generic network intrusion attempts which are 
common to most networks [column 6, lines 27-35]). Vaidya discloses matching means for 
receiving data relating to activity relative to the computer system or network from the monitoring 
means and for comparing sets of actions forming the activity against the stored data to identify 
an intrusion or attempted intrusion (Vaidya discloses the attack signature profile is reduced to an 
expression in step 166 [column 12, lines 1-5]. Vaidya discloses that in step 180 the expression is 
evaluated to determine in step 182 if the expression matches the packet currently being analyzed. 
If the expression does not match, the virtual processor 36 returns a value of false in step 184. If 
the expression matches the packet, the virtual processor returns a value of true and adds the 
current time stamp to the application session entry in the state cache 44 in step 186 [column 12, 
lines 23-29]). 
Vaidya does not teach that the updating means include inductive logic programming 
means for updating the stored data to take into account characteristics of further instances or 
classes of intrusion or attempted intrusion occurring after the knowledge base has been initially 
received and stored. 

Bratko teaches inductive logic programming (ILP). Bratko teaches given background 
knowledge, expressed as a set of predicate definitions, positive examples and negative examples. 
Bratko teaches that an ILP system will construct a predicate logic formula such that all the 
positive examples can be logically derived. Bratko teaches that no negative example can be 
logically derived [see pages 65-66]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Vaidya so that the updating means of the rules 
would have been done using inductive logic programming. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Vaidya by the teaching of Bratko because one of the main 
advantages of ILP is ILP's generality of representation for background knowledge. This enables 
a user to provide, in a more natural way, domain-specific background knowledge to be used in 
learning. The use of background knowledge enables the user both to develop a suitable problem 
representation and to introduce problem-specific constraints into the learning process [see page 
66]. 
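The Bratko passage cited for claims 3, 4, 5, 7, 9 and 10 states the ILP setting only abstractly: background knowledge as predicate definitions, positive and negative examples, and a learned formula from which every positive example and no negative example is derivable. The following added illustration, written for this page and not taken from Bratko, the Vaidya patent or the application, carries that setting through for intrusion rules of the kind the rejection contemplates. The event fields, the four background predicates, the use of a greedy FOIL-gain search to build each clause, and the sample events are all assumptions made for the example; the learned clause is emitted in logic-programming syntax so that it can be read as a general rule rather than as a single signature.

```python
"""Minimal ILP-style learner for intrusion rules (added illustration).

Not code from Bratko, Vaidya or the application. Event fields, background
predicates, the FOIL-gain search and the sample events are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    src_zone: str      # "external" or "internal"
    dst_port: int
    attempts: int      # connection attempts in the observation window
    auth_result: str   # "ok" or "fail"


# Background knowledge: predicate definitions over an event (assumed domain knowledge).
BACKGROUND: Dict[str, Callable[[Event], bool]] = {
    "external_src": lambda e: e.src_zone == "external",
    "admin_port": lambda e: e.dst_port in (22, 3389),
    "repeated": lambda e: e.attempts >= 5,
    "failed_auth": lambda e: e.auth_result == "fail",
}

Literal = Tuple[str, bool]   # (predicate name, negated?)
Clause = List[Literal]       # body of:  intrusion(E) :- l1(E), l2(E), ...

# Constructed examples (not real telemetry). Positives are observed intrusions,
# negatives are benign sessions that share some features with them.
POSITIVES = [
    Event("external", 22, 20, "fail"),
    Event("external", 3389, 8, "fail"),
    Event("internal", 22, 12, "fail"),
]
NEGATIVES = [
    Event("internal", 22, 1, "ok"),       # one successful admin login
    Event("external", 443, 30, "ok"),     # busy but healthy web client
    Event("external", 22, 1, "fail"),     # a single typo
    Event("internal", 3389, 6, "ok"),     # several successful RDP sessions
]


def holds(lit: Literal, e: Event, background=BACKGROUND) -> bool:
    name, negated = lit
    return bool(background[name](e)) != negated


def covers(clause: Clause, e: Event, background=BACKGROUND) -> bool:
    return all(holds(lit, e, background) for lit in clause)


def derives(clauses: List[Clause], e: Event, background=BACKGROUND) -> bool:
    """intrusion(E) is derivable if the body of any learned clause holds for E."""
    return any(covers(c, e, background) for c in clauses)


def foil_gain(p: int, n: int, p0: int, n0: int) -> float:
    """FOIL information gain of a literal that keeps p positives and n negatives."""
    if p == 0:
        return float("-inf")
    return p * (math.log2(p / (p + n)) - math.log2(p0 / (p0 + n0)))


def learn_rules(positives: List[Event], negatives: List[Event],
                background=BACKGROUND) -> List[Clause]:
    """Sequential covering: grow clauses until every positive is covered and no negative is."""
    literals: List[Literal] = [(name, neg) for name in background for neg in (False, True)]
    clauses: List[Clause] = []
    uncovered = list(positives)
    while uncovered:
        body: Clause = []
        pos, neg = list(uncovered), list(negatives)
        while neg:                                   # specialise until no negative survives
            p0, n0 = len(pos), len(neg)
            best, best_gain = None, 0.0
            for lit in literals:
                if lit in body:
                    continue
                p = sum(holds(lit, e, background) for e in pos)
                n = sum(holds(lit, e, background) for e in neg)
                gain = foil_gain(p, n, p0, n0)
                if gain > best_gain:
                    best, best_gain = lit, gain
            if best is None:
                raise ValueError("background predicates cannot separate the examples")
            body.append(best)
            pos = [e for e in pos if holds(best, e, background)]
            neg = [e for e in neg if holds(best, e, background)]
        clauses.append(body)
        uncovered = [e for e in uncovered if not covers(body, e, background)]
    return clauses


def format_clause(clause: Clause) -> str:
    lits = ", ".join(("\\+ " if negated else "") + f"{name}(E)" for name, negated in clause)
    return f"intrusion(E) :- {lits}."


if __name__ == "__main__":
    for clause in learn_rules(POSITIVES, NEGATIVES):
        print(format_clause(clause))
```

On the constructed examples the learner returns the single clause intrusion(E) :- failed_auth(E), repeated(E). It does not mention admin_port or external_src, because those predicates also hold for benative sessions in the negative set; the rule is therefore more general than any one of the positive examples, and it also fires on an event (say, fifty failed attempts against port 8080 from outside) that appeared nowhere in the training data. If a later positive example were not derivable from the existing clause set, the same procedure would add a further clause rather than modify the stored ones, which is the sense in which the learned rules extend a knowledge base after it has been initially stored.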
Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Aravind K Moorthy/ 
Examiner, Art Unit 2131 
/Ayaz R. Sheikh/ 

Supervisory Patent Examiner, Art Unit 2131 



